Description
import_read_package_data() and import_package() in lib/import.php select
the OpenSSL hash algorithm based on public key string length:
if (strlen($public_key) < 200) {
$ok = openssl_verify($xml, $binary_signature, $public_key, OPENSSL_ALGO_SHA1);
} else {
$ok = openssl_verify($xml, $binary_signature, $public_key, OPENSSL_ALGO_SHA256);
}
SHA-1 is vulnerable to chosen-prefix collisions. A crafted package with
a short key forces SHA-1 evaluation. This is a hardening measure since
package import requires admin access.
Remediation
Remove the key-length conditional. Use OPENSSL_ALGO_SHA256 unconditionally
at both call sites (lines 453 and 560).
Description
import_read_package_data() and import_package() in lib/import.php select
the OpenSSL hash algorithm based on public key string length:
SHA-1 is vulnerable to chosen-prefix collisions. A crafted package with
a short key forces SHA-1 evaluation. This is a hardening measure since
package import requires admin access.
Remediation
Remove the key-length conditional. Use OPENSSL_ALGO_SHA256 unconditionally
at both call sites (lines 453 and 560).